Method for monitoring the functions and increasing the operational reliability of a safety-relevant control system

ABSTRACT

A method monitors the functions and increases the operational reliability of a complex safety-relevant control system. Examples of such control systems include motor vehicle control systems such as a brake system (ABS, TCS, ESP, EHB, EMB), a steering aid (“steering-by-wire”), etc. The method also detects and evaluates system errors. The method detects a system error and evaluates it as a group error, brings about a complete system degradation or a partial system degradation corresponding to the group error, e.g. limitation of the system functions and the system availability, localizes the system error and the error source by tests, logical combining of the test results, plausibility considerations, etc., and gradually cancels the restrictions of the system functions and enhances the system availability in dependence on the result of the individual steps for bounding or localizing the system error and the error source.

BACKGROUND OF THE INVENTION

The present invention relates to a method and a system with means for monitoring the functions and increasing the operational reliability of a complex safety-relevant control system, e.g. a motor vehicle control system, such as ABS, TCS, ESP, a ‘brake-by-wire’ system (EHB, EMB), a ‘steering-by-wire’ system, etc., and for detecting and evaluating system errors.

Safety-relevant systems, among which are the above-mentioned motor vehicle control systems, require measures to secure a defined mode of operation even when system errors are detected. It is often not possible to attribute an error detected in normal operation directly to a system component. Errors of this type, also referred to as group errors, mostly carry only the information that a defined physical quantity in the system could not be maintained. Only the execution of special tests, also referred to as error localization, permits identifying the erroneous system component (that is, converting the group error into an individual error) and bringing about the suitable effect on the error (by an appropriate system degradation).

Before error localization can be successfully completed (in some cases this event is delayed or error localization is not possible because e.g. undervoltage prevails or because an earlier error precludes using the system components which are necessary for performing tests), the system is in an undefined condition: it has taken note of an error condition but is not able to bring about the suitable effects on the system.

The solution of this problem is nowadays searched for in various error analysis methods, which furnish as a result of the first error consideration a decision matrix (‘error->system effect’) by means of which the effects of the errors on the functions of the system can be detected. In this respect, group errors are among the especially difficult cases of analysis because they can be due to errors of many system components simultaneously. For this reason it is often impossible to evaluate the effects of a group error and to find a satisfactory global system degradation stage for the group error. The other disadvantage of this approach is that the transition from the global to the individual error effect is possible only after a successful completion of the error localization. When localization is delayed due to temporary events or even prevented due to errors that occurred earlier, the global and mostly serious comprehensive system degradation remains in continuous effect. This in turn has adverse effects on system availability and system safety.

SUMMARY OF THE INVENTION

In view of the above, an object of the invention is to develop a method which, on the one hand, maintains the control system in a defined condition in each phase when system errors occur and, on the other hand, minimizes the effects of the system error on the control.

It has been shown that this object can be achieved by the method mentioned in the attached patent claim, said method essentially being based on the following steps:

-   detecting a system error and evaluating it as a group error,
-   bringing about a complete system degradation or a partial system degradation corresponding to the group error, e.g. limitation of the system functions and the system availability,
-   localizing the system error and the error source by tests, logical combining of the test results, plausibility considerations, etc., and
-   gradually canceling the restrictions of the system functions and enhancing the system availability in dependence on the result of the individual steps for bounding or localizing the system error and the error source.

This means the method of the invention safeguards the defined function of the system upon the occurrence of errors even before the error is identified, and minimizing the effects of the error is taken care of immediately thereafter in the course of error localization.

Further features, advantages and details of the invention can be taken from the following description and the accompanying drawing.

BRIEF DESCRIPTION OF THE DRAWINGS

In the drawing,

FIG. 1 is a schematically simplified and exemplary view of the individual steps upon the occurrence of a group error until localization of the individual error.

FIG. 2 and FIG. 3 show special localization steps for the embodiment of FIG. 1 in the same way of illustration as FIG. 1.

DETAILED DESCRIPTION OF THE DRAWINGS

FIGS. 1-3 illustrate the principal mode of operation and effect of the method of the invention by way of a simplified illustrated embodiment of the invention.

According to the invention, the effects of a group error GF, see FIG. 1, are initially equated with a superposition of the effects of all individual errors F1 to F6. Therefore, the overall system is initially degraded when the group error GF occurs. The system degradation is calculated as a superposition of the effects of the individual errors F1-F6. Subsequently, the system degradation, i.e. the limitation of the system functions and the system availability as a result of the group error GF, is cancelled again in dependence on the progress of the localization of the individual error F1 to F6.

The group error GF initiates three parallel localizations L11, L21 and L31 in the embodiment according to FIG. 1. In the next step each of these localizations can cause two individual errors F1, F2; F3, F4; F5, F6, respectively. Before the first localization step (L11, L21, L31) is completed, the system degradation is determined as a superposition of the effects of the individual errors F1-F6.

The first localization step (L11, L21, L31) in the example of FIG. 2 leads to the result that an error can prevail in the range of the localization L21 only. Localizations L11 and L31 are not conspicuous. The individual error sources F1, F2 and F5, F6 are ruled out. The restrictions of the system function and the system availability initiated prior to this first localization step can be reduced corresponding to the discovery that only F3, F4 are possible as error sources. After completion of the second localization step, the system degradation is calculated as a superposition of the effects of the individual errors F3 and F4.

Localization is continued. FIG. 3 refers to this fact. Upon completion of this second localization step it is established in the example according to FIG. 3 that only one individual error F3 exists in the system. The system degradation results directly from the effect of the individual error F3.
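The stepwise degradation of FIGS. 1-3 can be modelled as a shrinking candidate set: the group error GF starts with all of F1-F6 as candidates, each localization that finds its range not conspicuous removes that range, and the degradation is always the union of the effects of the candidates that remain. The following is an added example (not the patent's own code); the function names, the bit layout and the effect table are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Individual errors F1..F6 as bits of a candidate mask (constructed layout). */
enum { F1 = 1u << 0, F2 = 1u << 1, F3 = 1u << 2,
       F4 = 1u << 3, F5 = 1u << 4, F6 = 1u << 5 };
/* System functions that a degradation may restrict (constructed). */
enum { FN_ABS = 1u << 0, FN_TCS = 1u << 1, FN_ESP = 1u << 2, FN_BAS = 1u << 3 };

/* Effect of each individual error on the system functions (constructed table).
 * This is the only per-error analysis the method needs: no group-error row. */
static const uint8_t effect[6] = {
    FN_ABS,           /* F1 */
    FN_ABS | FN_TCS,  /* F2 */
    FN_ESP,           /* F3 */
    FN_TCS | FN_ESP,  /* F4 */
    FN_BAS,           /* F5 */
    FN_ESP | FN_BAS,  /* F6 */
};

/* Ranges of the three parallel localizations L11, L21, L31 of FIG. 1. */
enum { L11 = F1 | F2, L21 = F3 | F4, L31 = F5 | F6 };

/* Degradation = superposition (union) of the effects of every individual
 * error not yet ruled out. A restriction is lifted only once every error
 * that causes it has been excluded, so a delayed or abandoned localization
 * simply leaves the current (safe) degradation in place. */
uint8_t degradation(uint8_t candidates)
{
    uint8_t d = 0;
    for (int i = 0; i < 6; i++)
        if (candidates & (1u << i))
            d |= effect[i];
    return d;
}

/* A localization whose range is "not conspicuous" rules that range out. */
uint8_t rule_out(uint8_t candidates, uint8_t cleared_range)
{
    return candidates & (uint8_t)~cleared_range;
}

int main(void)
{
    uint8_t c = F1 | F2 | F3 | F4 | F5 | F6;    /* group error GF detected */
    printf("GF:            degradation 0x%X\n", degradation(c));
    c = rule_out(rule_out(c, L11), L31);        /* FIG. 2: only L21 conspicuous */
    printf("after L11,L31: degradation 0x%X\n", degradation(c));
    c = rule_out(c, F4);                        /* FIG. 3: only F3 remains */
    printf("after F4 out:  degradation 0x%X\n", degradation(c));
    return 0;
}
```

With the constructed table the degradation falls from all four functions restricted (0xF) to TCS and ESP (0x6) after the first step and to ESP alone (0x4) once only F3 remains, while a candidate set that never shrinks keeps the initial restrictions unchanged.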

The system error is bounded or the error source is localized on the basis of known methods and conclusions of very different types, e.g. by means of tests, logical combining of the test results, plausibility considerations, etc.

This means that the object of the invention is a method appropriate for use in technical applications of different types, which renders it possible to dynamically minimize the system degradation of any safety-critical system during localization actions carried out because group errors have occurred. This method, which is applicable in every technical field, considerably enhances system availability and eventually safeguards a significantly greater extent of system safety than the currently customary methods, which are based on the scarcely definable global effect of the group errors.

The stepwise error localization achieves that the initial system degradation due to a group error is reduced constantly and smoothly until the level of the detected individual error is reached. When localization is delayed due to temporary events or even discontinued due to former errors, the system degradation is limited to the effects of the individual errors not (yet) ruled out.

In contrast to the previous methods, the method of the invention provides, among others, the following advantages:

The effect of a group error automatically results from the sum of the easily definable effects for the correlated individual errors. A separate error analysis for group errors is eliminated.

The effects of a group error are diminished as the localizations proceed. Availability and safety of the system are increased dynamically to a major degree.

The case that a group error could not be localized until the end does not need special treatment.

1. A method for monitoring the functions and increasing the operational reliability of a complex safety-relevant vehicle control system, and for detecting and evaluating system errors, the method comprising the steps of: detecting a system error and evaluating it as a group error, bringing about a system degradation corresponding to the group error by restricting system functions, localizing the system error and an error source by at least one of the functions out of the group consisting of tests, logical combining of the test results and plausibility considerations, and gradually canceling the restrictions of the system functions and enhancing the system availability in dependence on the result of the step for localizing the system error and the error source.